Audit Approved of Facebook Policies, Even After Cambridge Analytica Leak

An auditing firm responsible for monitoring Facebook for federal regulators told them last year that the company had sufficient privacy protections in place, even after the social media giant lost control of a huge trove of user data that was improperly obtained by the political consulting firm Cambridge Analytica.

The assertion, by PwC, came in a report submitted to the Federal Trade Commission in early 2017. The report, a redacted copy of which is available on the commission’s website, is one of several periodic reviews of Facebook’s compliance with a 2011 federal consent decree, which required Facebook to take wide-ranging steps to prevent the abuse of users’ information and to inform them how it was being shared with other companies.

The accounting firm, formerly known as PricewaterhouseCoopers, effectively gave Facebook a clean bill of health. “Facebook’s privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy” of users, said the assessment, which stretched from February 2015 to February 2017.

But during that period, Facebook was aware that a researcher based in Britain, Aleksandr Kogan, had provided Cambridge Analytica with private Facebook data from millions of users. Cambridge, which later worked for the Trump campaign, used the information to build psychological profiles of American voters before the 2016 election. Some details of Mr. Kogan’s work — though not the full scope of the data he had obtained — were revealed in an article in The Guardian in late 2015.

Facebook’s chief executive, Mark Zuckerberg, acknowledged to lawmakers this month that the company had not informed users that Cambridge had acquired their data. In testimony before the Senate, he said the company had previously accepted Cambridge’s assurances that it wasn’t using Mr. Kogan’s data and had deleted it.

“We considered it a closed case,” Mr. Zuckerberg said. “In retrospect, that was clearly a mistake.”

An investigation by The New York Times, The Observer and The Guardian last month found that Cambridge had obtained the private data of more than 50 million users without their consent. Facebook has since estimated that as many as 87 million users were affected.

Like its competitors, PwC closely protects the inner workings of its review process. The public versions of the reports it submits to the F.T.C. redact both the names of the employees who performed the work and the tests the firm used to assess Facebook’s privacy measures. It is not clear whether Facebook informed its auditors of the leak, or whether PwC knew about it.

In a statement, Facebook’s deputy chief privacy officer, Rob Sherman, said the company remained “strongly committed to protecting people’s information” and appreciated “the opportunity to answer questions the F.T.C. may have.”

A spokeswoman for PwC declined to comment.

The firm’s vetting of Facebook’s privacy practices revives questions about how diligently federal officials were overseeing Facebook. Last month, The Times reported that the F.T.C. was investigating whether Facebook had violated the consent decree.

“Clearly, the F.T.C. needs to be more forthcoming with the contents of those reports,” said Marc Rotenberg, president of the Electronic Privacy Information Center, which advocates more stringent privacy protections. “There is still too much that is not known about Facebook’s business practices during that critical time period.”

The 2011 decree — triggered in part by a complaint EPIC and other consumer groups filed — followed a two-year investigation that found Facebook had routinely ignored its users’ privacy preferences and shared their data without their permission. Besides demanding that Facebook give users more control over their data, the decree required the company to assess potential privacy risks. Facebook has acknowledged that it did not sufficiently police how third parties with access to its data, like Mr. Kogan, used the information.

F.T.C. officials hailed the consent decree as a new and powerful model for regulating tech giants like Facebook and Google, which in recent years have built immensely lucrative advertising businesses rooted in the vast quantities of data they collect from people who use their free services.

But critics of the agreement said it reflected the essential weakness of relying on an outside firm to evaluate Facebook’s compliance with the order. The F.T.C. is a relatively small agency, where even major investigations are handled by teams of just a few people. Instead of retaining a large staff of technology and data experts to monitor businesses, the agency makes companies hire outside accounting and consulting firms. These are paid by companies like Facebook and periodically report back to the F.T.C.

According to the assessment documents, Facebook chooses which policies and procedures PwC reviews.

“A conversation has to be had about how the F.T.C. handles these assessments,” said Joseph Jerome, policy counsel at the Center for Democracy and Technology, which is funded in part by Facebook and other tech companies. “Facebook decides how they are being assessed. It really stacks the deck in their favor.”

Gabriel J.X. Dance contributed reporting.

A version of this article appears in print on April 20, 2018, on Page A18 of the New York edition with the headline: Audit Approved of Facebook’s Policies.